_docs/administration/user-self-management/manage-pats.md
Lines changed: 4 additions & 3 deletions
@@ -6,17 +6,18 @@ sub_group: user-self-management
6
6
toc:true
7
7
---
8
8
9
-
As a user in Codefresh, you must authorize access to your Git provider accounts, and authenticate Git-based actions from Codefresh clients, per provisioned GitOps Runtime. This is done through the Git user token, which is an access token unique to each user. For more details, including required scopes and how the Git user token differs from the Git Runtime token, see[Git tokens in Codefresh]({{site.baseurl}}/docs/security/git-tokens/).
9
+
As a user in Codefresh, you must authorize access to your Git provider accounts and authenticate Git-based actions from Codefresh clients, per provisioned GitOps Runtime. This is done through the Git user token, which is an access token unique to each user. For more details, including required scopes and how the Git user token differs from the Git Runtime token, see[Git tokens in Codefresh]({{site.baseurl}}/docs/security/git-tokens/).
10
10
11
11
The authorization mode depends on the authorization method set up by your account admin:
12
12
* OAuth2
13
13
If your admin has set up authentication with OAuth2, you can authorize access using OAuth2.
14
14
* Git user access token
15
15
You can always generate a Git user token from your Git provider and then add the same to the GitOps Runtime in Codefresh to authorize access.
16
16
17
+
>**NOTE**
18
+
Codefresh GitOps does not officially support fine-grained tokens, or tokens with custom scopes. If you are using such tokens, make sure you turn off validation for Git tokens in the`values.yaml` file, as described in[Skipping token values.yaml]({{site.baseurl}}/docs/security/git-tokens#skipping-token-validation-in-valuesyaml).
17
19
18
-
19
-
##Authorize Git access to GitOps Runtimes
20
+
##Authorize Git access to GitOps Runtimes with OAuth2å
20
21
Authorize Git access to GitOps Runtimes with OAuth2 if your account admin has set up Codefresh as an OAuth application, or alternatively through Git user access tokens from your Git provider.
21
22
22
23
If you have access to more than one GitOps Runtime in the same or in different accounts, you can use the same Git user token for all the Runtimes you have access to._You must however authorize access for each GitOps Runtime individually_.
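Review bot: the renamed heading `##Authorize Git access to GitOps Runtimes with OAuth2å` carries a stray trailing `å`; drop it. The rename also narrows the heading to OAuth2 while the unchanged paragraph beneath it still covers both OAuth2 and Git user access tokens, and it changes the generated anchor, so any existing links to the old `#authorize-git-access-to-gitops-runtimes` heading break. In the new NOTE, the link text `[Skipping token values.yaml]` reads as truncated; `[Skipping token validation in values.yaml]` matches the target heading. Since this NOTE sends users of fine-grained or custom-scope tokens straight to disabling validation, add one sentence that Codefresh then performs no scope check at all, so an under-scoped token is only noticed when a Git operation fails rather than at install time.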
_docs/installation/gitops/hybrid-gitops-helm-installation.md
Lines changed: 20 additions & 2 deletions
@@ -158,7 +158,7 @@ The table below lists the settings validated in the `values` file.
158
158
{: .table .table-bordered .table-hover}
159
159
|**Setting**|**Validation**|
160
160
| --------------| --------------|
161
-
|**userToken**|If explicitly defined, or defined as a`secretKeyRef` which exists in the currentk8s context and the defined namespace.|
161
+
|**userToken**|If explicitly defined, or defined as a`secretKeyRef` which exists in the currentK8s context and the defined namespace.|
162
162
|**Account permissions**|If the user has admin permissions for the account in which they are installing the runtime.|
163
163
|**Runtime name**|If defined, and is unique to the account.|
164
164
|**Access mode**|{::nomarkdown}<ul><li>For tunnel-based (the default), if <codeclass="highlighter-rouge">accountId</code> is defined, and matches the account of the <codeclass="highlighter-rouge">userToken</code> defined in the file.</li><li>For ingress-based, if the hosts array contains at least one entry that is a valid URL (successful HTTP GET).</li><li>If both tunnel-based and ingress-based access modes are disabled, if <codeclass="highlighter-rouge">runtime.ingressUrl</code> is defined.</li></ul>{:/}|
@@ -175,7 +175,7 @@ where:
175
175
176
176
###Disable global installation validation
177
177
You may want to disable automated validation for specific scenarios, such as to address false-negatives.
178
-
Do so by either adding the flag to the Helm install command or adding the relevant section to the values file.
178
+
Do so by either adding the flag to the Helm install command or adding the relevant section to the`values` file.
179
179
180
180
181
181
#####In install command
@@ -213,6 +213,24 @@ global:
213
213
{% endraw %}
214
214
{% endhighlight %}
215
215
216
+
###Disabling validation for custom/fine-grained Git tokens
217
+
If you use tokens with custom scopes, or GitHub's fine-grained tokens (currently not officially supported by Codefresh),_skip token validation_ to avoid validation failures when installing GitOps Runtimes.
218
+
219
+
Add the`skipGitPermissionValidation` flag to your`values.yaml` file:
220
+
221
+
```yaml
222
+
app-proxy:
223
+
config:
224
+
skipGitPermissionValidation:"true"
225
+
```
226
+
227
+
If you set this flag, make sure that:
228
+
1. The Git user token defined for the GitOps Runtime (the token defined for`runtime-repo-creds-secret`), has read and write access to the Shared Configuration Repository.
229
+
1. The Git user tokens for the different Git repositories associated with the Runtimes have read and write permissions to those Git repositories they expect to write to and read from.
230
+
Read more on configuring the repositories with multiple `repo-creds` secrets in [Argo CD Repositories](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories).
231
+
232
+
For details on Git token usage, see [Git tokens]({{site.baseurl}}/docs/security/git-tokens/).
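Review bot: the "If you set this flag, make sure that" list is a copy of the one in `_docs/security/git-tokens.md`, but that copy gains a first item in this same commit ("You configure the Git user token for each GitOps Runtime separately") which is missing here, so the two lists already diverge; keep the list in one file and link to it from the other. Item 1 calls the token in `runtime-repo-creds-secret` a "Git user token", while `git-tokens.md` describes the token supplied at installation as the Git Runtime token; confirm which token that secret holds and name it consistently. The block sets `skipGitPermissionValidation: "true"` as a quoted string; state whether the chart expects a quoted string or a YAML boolean so readers do not have to guess.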
_docs/security/git-tokens.md
Lines changed: 22 additions & 22 deletions
@@ -11,12 +11,12 @@ toc: true
11
11
12
12
13
13
14
-
Codefresh requires two types of Git tokens for authentication in GitOps, a Git Runtime token, and a Git user token. The Runtime and user tokens are both Git access tokens used for different purposes. See[Git Runtime tokens versus Git user tokens in Codefresh](#git-runtime-tokens-versus-git-user-tokens-in-codefresh) and[Interaction between Git tokens and secrets](#interaction-between-git-tokens-and-secrets).
14
+
Codefresh requires two types of Git tokens for authentication in GitOps, a Git Runtime token, and a Git user token. The Runtime and user tokens are both Git access tokens used for different purposes. See[Git Runtime tokens versus Git user tokens in Codefresh](#git-runtime-tokens-versus-git-user-tokens-in-codefresh).
15
15
* The[Git Runtime token](#git-runtime-token-scopes) is mandatory for every GitOps Runtime. It must be provided during the Runtime installation, and is typically associated with a service/robot account.
16
16
* The[Git user token](#git-user-access-token-scopes) is an access token that is unique to every user in the Codefresh platform. It is required after installation for every Runtime which the user has access to.
17
17
18
18
>**IMPORTANT**
19
-
At all times,_bothtokens are always securely stored on your cluster_ and never stored locally on our platform.
19
+
_Bothtokens are always securely stored on your cluster_ and never locally on our platform.
20
20
21
21
Users can also create and use Git tokens with custom scopes for both GitOps Runtimes and for Git repositories associated with the Runtimes that they need to access. See[Git user tokens with custom scopes](#git-user-tokens-with-custom-scopes).
22
22
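Review bot: the unchanged context line "See [Git user tokens with custom scopes](#git-user-tokens-with-custom-scopes)" points at a heading that this same commit deletes further down (replaced by `## Skipping token validation in values.yaml`), so it becomes a dangling anchor; update both the link text and the target here. The rewritten IMPORTANT line drops "stored" from "never stored locally on our platform"; keep "never stored on our platform" so the claim about where tokens live stays explicit.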
@@ -31,7 +31,7 @@ The table below summarizes the main differences between the Git Runtime token an
31
31
| Managed by| Admin at account-level| User|
32
32
| Associated Account Type| (Recommended)[Service account or robot account](#use-a-servicerobot-account-for-gitops-runtimes)| User account|
33
33
34
-
##Interaction betweenGittokens and secrets
34
+
##Gittoken conversion to secret
35
35
Codefresh needs access to Git repositories for reading and writing to configuration and resource manifests. This section elaborates on how Git providers and repositories with Git tokens for authentication to .
36
36
37
37
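Review bot: the context line directly under the renamed heading ends with "with Git tokens for authentication to .", an unfinished sentence; since the heading is being rewritten in this hunk anyway, finish the sentence (or cut the dangling "to .") rather than leave the section opener broken. The rename also moves the anchor from `#interaction-between-git-tokens-and-secrets` to `#git-token-conversion-to-secret`; the intro link was removed earlier in this commit, but check the rest of the docs for the old anchor.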
@@ -69,7 +69,8 @@ The table below lists the scopes required for Git Runtime tokens for the differe
69
69
70
70
###Git Runtime token in values.yaml
71
71
72
-
You also have the option to directly add your Git Runtime token, or a reference to the secret that contains the Runtime secret, to`values.yaml` (typically the latter).
72
+
You can directly add the Git Runtime token, or a reference to the Runtime secret, to your`values.yaml`.
73
+
73
74
74
75
To skip token validation both during installation and upgrade in this scenario, add the`skipValidation` flag to`values.yaml`.
75
76
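Review bot: the rewritten line "a reference to the Runtime secret" keeps the original's slip; what is referenced is a Kubernetes secret that contains the Git Runtime token (the `secretKeyRef` form the install doc validates), so "a reference to the secret that holds the Git Runtime token" is what is meant. The context line that follows names `skipValidation`, while the sections added in this commit introduce `skipGitPermissionValidation` under `app-proxy.config`; one sentence saying that these are two different flags, which check each disables, and where each is set in `values.yaml` would stop readers from setting one and expecting the other's effect.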
@@ -87,7 +88,7 @@ If you set the flag to skip validation, _the onus is on you to provide a valid a
87
88
88
89
## Git user access token scopes
89
90
The table below lists the scopes required for Git user access tokens for the different Git providers.
90
-
As with the Git Runtime token, you can create and use Git user tokens with custom scopes per GitOps Runtime, and per Git repository to which the Runtime has access.
91
+
As with the Git Runtime token, you can create and use Git user tokens with custom scopes per GitOps Runtime and per Git repository to which the Runtime has access.
91
92
92
93
93
94
| Git provider | Required scopes for Git user token |
@@ -97,14 +98,11 @@ As with the Git Runtime token, you can create and use Git user tokens with custo
97
98
| Bitbucket Cloud and Bitbucket Server | {::nomarkdown} <ul><li>Account: <code class="highlighter-rouge">Read</code></li><li>Workspace membership: <code class="highlighter-rouge">Read</code></li><li>Webhooks: <code class="highlighter-rouge">Read and write</code></li><li>Repositories: <code class="highlighter-rouge">Write, Admin </code></li></ul>{:/}|
98
99
99
100
100
-
### Git user tokens with custom scopes
101
-
Codefresh validates Git user tokens and their associated scopes when authorizing Git actions for the Runtime.
102
-
103
-
104
-
If you require custom scopes in Git user tokens that don't meet the default Codefresh requirements, you can create Git user tokens with custom scopes. You may want to have Git user tokens without`admin` scopes, or use the new fine-grained tokens for GitHub (currently not officially supported by Codefresh).
105
-
106
-
Codefresh provides the `skipGitPermissionValidation` flag which you can add to your `values.yaml` file to bypass token validation for such cases.
101
+
## Skipping token validation in values.yaml
102
+
If you use tokens with custom scopes, or GitHub's fine-grained tokens (currently not officially supported by Codefresh), _you must skip token validation in the`values.yaml` file_ to avoid validation failures when installing GitOps Runtimes.
103
+
Codefresh validates the `values.yaml` before initiating Runtime installation.
107
104
105
+
Add the `skipGitPermissionValidation` flag to your `values.yaml` file to bypass token validation:
108
106
109
107
```yaml
110
108
app-proxy:
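Review bot: the deleted line "Codefresh validates Git user tokens and their associated scopes when authorizing Git actions for the Runtime" was the only statement of what `skipGitPermissionValidation` disables; its replacement, "Codefresh validates the `values.yaml` before initiating Runtime installation", describes a different check, so the reader can no longer tell whether the flag affects install-time validation, scope checks at authorization time, or both. Keep both sentences. Also keep the deleted motivation "You may want to have Git user tokens without `admin` scopes"; a token without `admin` is the least-privilege case this section should be steering users toward. The new heading is `##` but sits inside the `## Git user access token scopes` section before its closing callout; either keep it at `###` or move the section below the callout.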
@@ -113,6 +111,7 @@ app-proxy:
113
111
```
114
112
115
113
If you set this flag, make sure that:
114
+
1. You configure the Git user token for each GitOps Runtime separately.
116
115
1. The Git user token defined for the GitOps Runtime (the token defined for `runtime-repo-creds-secret`), has read and write access to the Shared Configuration Repository.
117
116
1. The Git user tokens for the different Git repositories associated with the Runtimes have read and write permissions to those Git repositories they expect to write to and read from.
118
117
Read more on configuring the repositories with multiple `repo-creds` secrets in [Argo CD Repositories](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories).
@@ -122,21 +121,22 @@ If you set this flag, make sure that:
122
121
If you set the flag to skip validation, _the onus is on you to provide valid and secure tokens_. Codefresh does not validate the tokens whenever Git Runtime and Git user tokens are updated.
123
122
{{site.data.callout.end}}
124
123
125
-
### Use same Git user tokens for multiple GitOps Runtimes
126
-
If a user has access to multiple GitOps Runtimes in the same or in different accounts in Codefresh, they can use either the same Git user token to authenticate and authorize all the Runtimes to which they have access.
124
+
## Best practices for Git token usage
127
125
128
-
>**NOTE**
129
-
The user must configure the Gitusertokenforeach GitOps Runtime separately.
126
+
### Use a service/robot account for GitOps Runtimes
127
+
For GitOps Runtime installation, we recommend using an account not related to any specificuserin your organization. Service/robot accounts are idealforthis purpose, as they provide secure authentication, restricted permissions, and centralized management.
130
128
131
-
### Manage Git user tokens
132
-
User can manage their Git user tokens for Runtimes, as described in [Managing Git PATS]({{site.baseurl}}/docs/administration/user-self-management/manage-pats/).
129
+
You need to create a service or robot account with your Git provider, generate the Git Runtime token, and use this account exclusively to install GitOps Runtimes.
133
130
131
+
### Use the same Git user tokens for multiple GitOps Runtimes
132
+
If a user has access to multiple GitOps Runtimes, either within the same or across different Codefresh accounts, they can use the same Git user token to authenticate and authorize all the Runtimes to which they have access. This approach simplifies token management and ensures consistency in authentication.
134
133
135
-
## Use a service/robot account for GitOps Runtimes
136
-
For GitOps Runtime installation, we recommend using an account not related to any specific user in your organization.
137
-
Service/robot accounts are ideal for this purpose, as they provide secure authentication, restricted permissions, and centralized management.
134
+
>****NOTE**
135
+
The user must configure the Git user token for each GitOps Runtime separately.
136
+
137
+
### Manage Git user tokens
138
+
Users can manage their Git user tokens for Runtimes, as described in [Managing Git PATS]({{site.baseurl}}/docs/administration/user-self-management/manage-pats/).
138
139
139
-
You need to create a service or robot account with your Git provider, generate the Git Runtime token, and use this account exclusively to install GitOps Runtimes.
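Review bot: `>****NOTE**` has doubled asterisks and will not render like the `>**NOTE**` callouts used elsewhere on the page; make it `>**NOTE**`. The added sentence "This approach simplifies token management and ensures consistency in authentication" presents reusing one Git user token across Runtimes, including across accounts, as pure benefit; the page itself says tokens are stored on the cluster, so the same token then lives in every cluster it is configured on and a leak from any one of them exposes all of them. Pair the convenience claim with that trade-off. "Managing Git PATS" should be "Managing Git PATs". In the service/robot account section, "restricted permissions" only holds if the account is granted just the scopes listed in the Git Runtime token table; say so to make the recommendation actionable.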